 
  

 






<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> 
<html>

<!-- Mirrored from www.javapractices.com/topic/TopicAction.do;jsessionid=4FCCB481C702D708A7360133D128E359?Id=217 by HTTrack Website Copier/3.x [XR&CO'2010], Sun, 12 Jun 2011 17:26:54 GMT -->
<!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=UTF-8"><!-- /Added by HTTrack -->
<head>
 <title>
  Java Practices -> Beware of common hacks
 </title>
 <link rel="stylesheet" type="text/css" href="../stylesheet8.css" media="all">
 
 <link rel="shortcut icon" href='../images/favicon.ico' type="image/vnd.microsoft.icon">
 <meta name="description" content="Concise presentations of java programming practices, tasks, and conventions, amply illustrated with syntax highlighted code examples.">
 
 <meta name='keywords' content='java,java programming,java practices,java idiom,java style,java design patterns,java coding conventions,'>
 
 
</head>
 
<body>


<div class='menu-bar'>
 
  <a href='../home/HomeAction.html' title='Table of Contents'>Home</a> |
  <a href='../vote/VoteSummaryAction-2.html' title='View Poll Results'>Poll</a> |
   
  <A href='../feedback/FeedbackAction451f-2.html?Operation=Show' title='Send Your Feedback'>Wiki</a> |
  <b><a href='../source/SourceAction-2.html' title='Grab Source Code'>Source Code</a></b><IMG class='no-margin' SRC="../images/goldstar.gif" ALT=""> |

  <a href='http://www.web4j.com/Java_Web_Application_Framework_Overview.jsp?From=1' title='Free Download - Java Web Application Framework'><b>WEB4J</b></a> |
  
  <a href='http://www.date4j.net/' title='Replacement for java.util.Date'><b>DATE4J</b></a> |

   <a href='../references/ReferencesAction-2.html' title='References'>Links</a>
   
  <form action='http://www.javapractices.com/search/SearchAction.do' method='get' class='search-form'>
   <input type='text' name='SearchTerms' value="" size=12 maxlength=50 class='search'>
   <input type='submit' value="Search">
  </form>
 
</div>

<P>



  

 






<p class="display-messages">

 

 

</p>


<div class="main-layout">
 
   

 




<div class='page-title'>Beware of common hacks</div>

<div class='main-body'>
 
<br>
<h3>SQL Injection Attacks</h3>
<a href='http://www.owasp.org/index.php/SQL_Injection'>SQL Injection attacks</a> use crafted, unusual user input to cause undesired SQL statements to be executed.
An application is vulnerable to such attacks whenever it builds SQL statements directly out of raw user input.
If an application builds SQL statements out of user input by using <tt>PreparedStatement</tt> <i>correctly</i>, then it will be protected from SQL injection attacks.
If, on the other hand, it uses <tt>Statement</tt> to dynamically build SQL, or uses <tt>PreparedStatement</tt> <i>incorrectly</i> then it will <em>not</em> be protected from such attacks.

<h3>Cross-Site Scripting (XSS) Attacks</h3>
HTML allows for scripting. 
Scripting is dangerous, since it allows all kinds of code to execute on the client, where it has access to the user's private environment. 
Scripts should only be allowed under tightly controlled circumstances.
<span class='highlight'>If you do not exercise care, it is <em>very easy</em> to create web applications that allow users to enter malicious scripts as regular data.</span> 
When such malicious input is later fetched from the database and rendered in a view, it becomes available for execution by the browser. 

<P>Note that such scripts will execute in <em>any</em> browser that renders the data, not just for the browser of the hacker who happened to enter the script. 
When the malicious script is executing in an innocent victim's browser, it gets access to sensitive information, and sends it back to the hacker.
This is called a <a href='http://www.owasp.org/index.php/Cross_Site_Scripting'>Cross-Site Scripting</a> (XSS) attack.

<P>To prevent XSS attacks, ask yourself two questions : 
<ul>
<li>can this form control accept a script as input?
<li>if so, how will the script be disabled when the user input is ultimately rendered in a page?
</ul>

Let's take this mock form as an example (POSTing this form does nothing) :

<P><form method="GET" action="http://www.javapractices.com/topic/Topic217.cjp">
 <table border='1' cellpadding='3' cellspacing='0' align='center'>
  <tr>
   <td>Movie Title :</td> 
   <td><input type='text' name='Title'></td>
  </tr>
  <tr>
   <td>Movie Decade :</td>  
   <td> 
    <select>
     <option>2000</option>
     <option>1990</option>
     <option>1980</option>
     <option>1970</option>
     <option>1960</option>
     <option>1950</option>
     <option>1940</option>
     <option>1930</option>
     <option>1920</option>
    </select>
   </td>
  </tr>
  <tr>
   <td colspan='2'><input type='submit' value='Submit'></td>
  </tr>
  <tr>
 </table>
</form>
</P>

<P>
When the user POSTs this form, the data should always be validated as strongly as possible by the server. 
For instance, the <tt>Movie Decade</tt> should be checked against a fixed set of values, to ensure that form has not been altered by a malicious user.
If the <tt>Movie Decade</tt> is indeed checked in such a manner, then it is not possible for the user to enter an arbitrary script as a value for the decade.
<em>If such strong checks are performed</em>, then no special precautions against XSS attacks are needed.

<P>The <tt>Movie Title</tt> is a different story, however. 
Since it is free-form user input, it is not possible to tightly constrain the <tt>Movie Title</tt>.  
The server cannot perform tight validation checks on its content, since there is no 'whitelist' of allowed values.

<P>In this case, the user may indeed enter a script. 
<span class='highlight'>To prevent the script from being activated when rendered in a page as regular data, special care must be taken: any special characters in free-form user input must be escaped.</span> 
The Open Web App Security Project recommends that you escape these 12 characters :

<P><table border='1' cellpadding='3' cellspacing='0' align='center'>
 <tr><th> Character </th><th> Encoding </th></tr>
 <tr><td> &lt; </td><td> &amp;lt; </td></tr>

 <tr><td> &gt; </td><td> &amp;gt; </td></tr>
 <tr><td> &amp; </td><td> &amp;amp; </td></tr>
 <tr><td> " </td><td> &amp;quot;</td></tr>

 <tr><td> ' </td><td> &amp;#039;</td></tr>
 <tr><td> ( </td><td> &amp;#040;</td></tr> 
 <tr><td> ) </td><td> &amp;#041;</td></tr>

 <tr><td> # </td><td> &amp;#035;</td></tr>
 <tr><td> % </td><td> &amp;#037;</td></tr>
 <tr><td> ; </td><td> &amp;#059;</td></tr>

 <tr><td> + </td><td> &amp;#043; </td></tr>
 <tr><td> - </td><td> &amp;#045; </td></tr>
</table>
</P>

<P>The escaping can be performed in various places : 
<ul>
<li>in the view, when the data is ultimately rendered
<li>in the Model Object
<li>in the database
</ul>

<P>The <a href='TopicAction5f31-2.html'>WEB4J</a> tool, for example, recommends performing the escaping in the Model Object, by using its 
<tt>SafeText</tt> class to model free-form user input instead of <tt>String</tt>. 

<P>In any case, remember that data <a href='TopicAction2c82-2.html'>should not be escaped more than once</a>.

<P>Note as well that JSTL's <tt>&lt;c:out&gt;</tt> tag performs escaping only for <em>XML</em> (5 characters), and not for <em>HTML</em> (12 characters).
In addition, note that the JSP Expression Language performs no escaping at all.


<h3>Cross-Site Request Forgery (CSRF) Attacks</h3>
The fundamental idea in a <a href='http://www.owasp.org/index.php/Cross-Site_Request_Forgery'>Cross-Site Request Forgery</a> (CSRF) is that of hijacking a victim's session to perform a malicious task.
Since the session becomes available to the hacker, the hacker can perform tasks that would otherwise not be possible.

<P>For example, consider a simple logoff operation. 
On many sites, logging off is implemented with a simple <em>link</em> (<tt>GET</tt>), and not a <tt>POSTed form</tt>. 
A hacker can log you off such a site <em>simply by sending you an email</em>. Here is the scenario:
<ul>
 <li>you legitimately log in to the target site
 <li>the hacker sends you an email containing a bogus <tt>IMG</tt> tag whose <tt>'src'</tt> attribute points to the logoff link
 <li>you receive the email and open it in some client (while still logged in)
 <li>your email client automatically parses the email content
 <li>when the <tt>IMG</tt> tag is encountered, your email client extracts the <tt>src</tt> target and <em>sends an HTTP</em> <tt>GET</tt> <em>request over the network</em>, ostensibly to fetch the 'image'
 <li>bingo! you are now logged out, just by opening an email
</ul>
 
(This is why many email clients suppress the display of images.)

<P>Defending against CSRF attacks isn't as simple as defending against XSS attacks. Usually, the defenses 
take this form :
<ul>
<li><em>for operations that have side-effects</em> of any kind, use a form with <tt>method='POST'</tt> (database edits, logging off)
<li><em>for operations without any side-effects</em>, use either a form with <tt>method='GET'</tt> (listings, reports, search operations) or a link
<li>for each user login, create a random, hard-to-guess token, and store it in the session. 
This token (also called a <i>nonce</i>) is injected as a hidden parameter into each form served by your application. 
For each POSTed form, the server verifies that the hidden parameter is present, and has the expected value for the current session.
All of this has the intent of answering a simple question : <em>'Did this POSTed form really come originally from the legitimate server, or from some unknown third party?'</em>
<li>specify the <tt>content-type</tt> of the response as an HTTP header. 
When using form tokens, the <tt>content-type</tt> lets tools know when you are serving HTML -  
if your are serving plain text or XML, then there is no need to inject form tokens.
</ul>

Your web app framework should assist you in defending against CSRF attacks. With servlets, it is common to provide 
a Filter to generate and validate the special form token.

<br>
<br>

</div>




<div class='topic-section'>See Also :</div>
<div class='main-body'>
 
  
  <a href='TopicAction2c82-2.html?Id=201'>Beware of doubly escaped ampersands</a> <br>
 
  
  <a href='TopicActiona657-2.html?Id=212'>Prefer PreparedStatement</a> <br>
 
</div>


<div class='topic-section'>Would you use this technique?</div>
<div class='main-body'>
  
  <form action="http://www.javapractices.com/vote/AddVoteAction.do" method='post'>
    Yes<input type='radio' name='Choice' value='Y' >
    &nbsp;&nbsp;No<input type='radio' name='Choice' value='N'>
    &nbsp;&nbsp;Undecided<input type='radio' name='Choice' value="?" >
    &nbsp;&nbsp;<input type=submit value="Vote" >
    <input type='hidden' name='Operation' value='Apply'>
    <input type='hidden' name='TopicId' value='217'>
  </form>
</div>

<div style='height:10.0em;'></div>

 
 
</div>

  

 





<div align='center' class='legalese'>  
&copy; 2011 Hirondelle Systems |
<a href='../source/SourceAction-2.html'><b>Source Code</b></a><IMG class='no-margin' SRC="../images/goldstar.gif" ALT=""> |
<a href="mailto:webmaster@javapractices.com">Contact</a> |
<a href="http://creativecommons.org/licenses/by-nc-sa/1.0/">License</a> |
<a href='../apps/cjp.rss'>RSS</a>
<!-- ukey="2AC36CD2" -->
<!-- ckey="16DF3D87" -->
<br>

 Individual code snippets can be used under this <a href='../LICENSE.txt'>BSD license</a> - Last updated on June 6, 2010.<br>
 Over 150,000 unique IPs last month - <span title='Java Practices 2.6.5, Mon May 16 00:00:00 EDT 2011'>Built with</span> <a href='http://www.web4j.com/'>WEB4J</a>.<br>
 - In Memoriam : Bill Dirani -
</div>

<script src="../../www.google-analytics.com/urchin.js" type="text/javascript">
</script>
<script type="text/javascript">
_uacct = "UA-2633428-1";
urchinTracker();
</script>



</body>

<!-- Mirrored from www.javapractices.com/topic/TopicAction.do;jsessionid=4FCCB481C702D708A7360133D128E359?Id=217 by HTTrack Website Copier/3.x [XR&CO'2010], Sun, 12 Jun 2011 17:26:56 GMT -->
<!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=UTF-8"><!-- /Added by HTTrack -->
</html>
